tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

Add heisenbridge #80

Manually merged
tlater merged 3 commits from tlater/heisenbridge into master 2023-02-28 04:33:55 +00:00
Conversation 0 Commits 3 Files changed 8 +136 -35
8 changed files with 136 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

4
configuration/default.nix
View file

@ -3,9 +3,13 @@
pkgs,
lib,
modulesPath,
flake-inputs,
...
}: {
imports = [
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
"${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/minimal.nix"
(import ../modules)

84
configuration/services/conduit.nix
View file

@ -1,6 +1,8 @@
{
pkgs,
config,
lib,
flake-inputs,
...
}: let
inherit (lib.strings) concatMapStringsSep;
@ -11,6 +13,7 @@
in {
services.matrix-conduit = {
enable = true;
package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit;
settings.global = {
address = "127.0.0.1";
server_name = domain;
@ -28,6 +31,87 @@ in {
};
};
systemd.services.heisenbridge = let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
id = "heisenbridge";
url = "http://127.0.0.1:9898";
as_token = "@AS_TOKEN@";
hs_token = "@HS_TOKEN@";
rate_limited = false;
sender_localpart = "heisenbridge";
namespaces = {
users = [
{
regex = "@irc_.*";
exclusive = true;
}
{
regex = "@heisenbridge:.*";
exclusive = true;
}
];
aliases = [];
rooms = [];
};
});
# TODO(tlater): Starting with systemd 253 it will become possible
# to do the credential setup as part of ExecStartPre/preStart
# instead.
#
# This will also make it possible to actually set caps on the
# heisenbridge process using systemd, so that we can run the
# identd process.
execScript = pkgs.writeShellScript "heisenbridge" ''
cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${pkgs.heisenbridge}/bin/heisenbridge \
--config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
--owner @tlater:matrix.tlater.net \
'http://localhost:${toString cfg.settings.global.port}'
'';
in {
description = "Matrix<->IRC bridge";
wantedBy = ["multi-user.target"];
after = ["conduit.service"];
serviceConfig = {
Type = "simple";
LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
ExecStart = execScript;
DynamicUser = true;
RuntimeDirectory = "heisenbridge";
RuntimeDirectoryMode = "0700";
RestrictNamespaces = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_INET AF_INET6"];
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ProcSubset = "pid";
UMask = 0077;
# For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
# AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
};
};
# Pass in the TURN secret via EnvironmentFile, not supported by
# upstream module currently.
#

2
configuration/sops.nix
View file

@ -6,6 +6,8 @@
group = "nextcloud";
};
secrets."steam/tlater" = {};
secrets."heisenbridge/as-token" = {};
secrets."heisenbridge/hs-token" = {};
secrets."turn/env" = {};
secrets."turn/secret" = {
owner = "turnserver";

17
flake.lock generated
View file

@ -378,6 +378,22 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1677342105,
"narHash": "sha256-kv1fpkfCJGb0M+LZaCHFUuIS9kRIwyVgupHu86Y28nc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b1f87ca164a9684404c8829b851c3586c4d9f089",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1673345971,
@ -479,6 +495,7 @@
"inputs": {
"deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"nvfetcher": "nvfetcher",
"sops-nix": "sops-nix",
"tlaternet-webserver": "tlaternet-webserver"

28
flake.nix
View file

@ -3,6 +3,7 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
deploy-rs.url = "github:serokell/deploy-rs";
sops-nix = {
url = "github:Mic92/sops-nix";
@ -24,8 +25,8 @@
sops-nix,
nvfetcher,
deploy-rs,
tlaternet-webserver,
}: let
...
} @ inputs: let
system = "x86_64-linux";
in {
##################
@ -33,9 +34,14 @@
##################
nixosConfigurations = {
# The actual system definition
tlaternet = self.lib.makeNixosSystem {
tlaternet = nixpkgs.lib.nixosSystem {
inherit system;
extraModules = [(import ./configuration/hardware-specific/linode)];
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/linode
];
};
};
@ -63,19 +69,21 @@
####################
# Helper functions #
####################
lib = import ./lib {
inherit nixpkgs sops-nix tlaternet-webserver;
lib = nixpkgs.lib;
};
lib = import ./lib {inherit (nixpkgs) lib;};
###################
# Utility scripts #
###################
packages.${system} = let
inherit (nixpkgs.legacyPackages.${system}) writeShellScript;
vm = self.lib.makeNixosSystem {
vm = nixpkgs.lib.nixosSystem {
inherit system;
extraModules = [(import ./configuration/hardware-specific/vm.nix)];
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/vm.nix
];
};
in {
default = vm.config.system.build.vm;

7
keys/production.yaml
View file

@ -2,6 +2,9 @@ nextcloud:
tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str]
steam:
tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str]
heisenbridge:
as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
turn:
env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
@ -14,8 +17,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-11-05T18:45:55Z"
mac: ENC[AES256_GCM,data:xPCfjqVkewEqrUjHroXa9RGHITntVj2uGPaRZfj0lqTUPFG6GQDn3Yq6L6cV3EPOYQ4OedJlaVXy05OHkzZwjYEbBQVGQ0aH/ZOP7X301eebBX5MvHLFU4mcnjMITWGH/E7SXz3pPF75s9eM/onx374PcQt6zevbBF+Jp0Fz71I=,iv:84JL69nF3ougygMAVFOoTaCn37thvm4lF6HYdgTiftg=,tag:ATQ18acehgUAE/dX+vYugQ==,type:str]
lastmodified: "2023-02-21T10:51:11Z"
mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str]
pgp:
- created_at: "2022-10-12T00:46:51Z"
enc: |

7
keys/staging.yaml
View file

@ -2,6 +2,9 @@ nextcloud:
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
steam:
tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str]
heisenbridge:
as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
turn:
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
@ -14,8 +17,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-01-11T01:49:31Z"
mac: ENC[AES256_GCM,data:5IcHdNQ/mh6Jz60dlpgqbBtVGKYml4EOs7YXsBcejgAoPzZqEK+xb3f9+rq2G6sCcMXzROHJsdQUfp1wMgfp8DwVm4H+XO+SQh/E1kFuWO8G/IpXOT4P9RQC+wHxrVuxHd8pwl9CLv6uuMnO+FNg9TeWB2GAVxIBsY8JHwGN/BA=,iv:/Yqfij58LGNooyyhmr8aWCpknd4dN+b4iSvokVoDGls=,tag:XHm8Qcg75B1+pTOcgZubIQ==,type:str]
lastmodified: "2023-02-21T08:32:04Z"
mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str]
pgp:
- created_at: "2022-10-12T16:48:23Z"
enc: |

22
lib/default.nix
View file

@ -1,9 +1,4 @@
{
lib,
nixpkgs,
sops-nix,
tlaternet-webserver,
}: let
{lib}: let
inherit (lib.attrsets) mapAttrsToList;
inherit (lib.strings) concatStringsSep;
in {
@ -12,19 +7,4 @@ in {
(mapAttrsToList
(host: vm: "hostfwd=::${host}-:${vm}")
portMapping);
makeNixosSystem = {
system,
extraModules,
}:
nixpkgs.lib.nixosSystem {
inherit system;
modules =
[
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
(import ../configuration)
]
++ extraModules;
};
}